Class: Arachni::Browser::Javascript

Inherits:

Object

• Object
• Arachni::Browser::Javascript

Includes:

UI::Output, Utilities

Defined in:

lib/arachni/browser/javascript.rb,
lib/arachni/browser/javascript/proxy.rb,
lib/arachni/browser/javascript/dom_monitor.rb,
lib/arachni/browser/javascript/taint_tracer.rb,
lib/arachni/browser/javascript/taint_tracer/frame.rb,
lib/arachni/browser/javascript/taint_tracer/sink/base.rb,
lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb,
lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb,
lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb

Overview

Provides access to the Arachni::Browser's JavaScript environment, mainly helps group and organize functionality related to our custom Javascript interfaces.

Author:

• Tasos “Zapotek” Laskos <tasos.laskos@arachni-scanner.com>

Defined Under Namespace

Classes: DOMMonitor, Proxy, TaintTracer

Constant Summary

TOKEN =

'arachni_js_namespace'

SCRIPT_BASE_URL =

Returns URL to use when requesting our custom JS scripts.

Returns:

• (String) —

  URL to use when requesting our custom JS scripts.

'https://javascript.browser.arachni/'

SCRIPT_LIBRARY =

Returns Filesystem directory containing the JS scripts.

Returns:

• (String) —

  Filesystem directory containing the JS scripts.

"#{File.dirname( __FILE__ )}/javascript/scripts/"

SCRIPT_SOURCES =

Dir.glob("#{SCRIPT_LIBRARY}*.js").inject({}) do |h, path|
    h.merge!( path => IO.read(path) )
end

NO_EVENTS_FOR_ELEMENTS =

Set.new(%w(
    base bdo br head html iframe meta param script style title link hr
))

EACH_DOM_ELEMENT_WITH_EVENTS_BATCH_SIZE =

300

EVENTS =

Set.new([
    :onclick,
    :ondblclick,
    :onmousedown,
    :onmousemove,
    :onmouseout,
    :onmouseover,
    :onmouseup,
    :onload,
    :onsubmit,
    :onselect,
    :onchange,
    :onfocus,
    :onblur,
    :onkeydown,
    :onkeypress,
    :onkeyup,
    :oninput,
    :onselect,
    :onchange,
    :onfocus,
    :onblur,
    :onkeydown,
    :onkeypress,
    :onkeyup,
    :oninput,
    :onchange,
    :onfocus,
    :onblur,
    :onfocus,
    :onblur,
    :onfocus,
    :onblur
])

Instance Attribute Summary

• #custom_code ⇒ String

  Inject custom JS code right after the initialization of the custom JS interfaces.

• #dom_monitor ⇒ DOMMonitor readonly

  Proxy for the `DOMMonitor` JS interface.

• #taint ⇒ String

  Taints to look for and trace in the JS data flow.

• #taint_tracer ⇒ TaintTracer readonly

  Proxy for the `TaintTracer` JS interface.

• #token ⇒ String

  Token used to namespace the injected JS code and avoid clashes.

Class Method Summary

• .events ⇒ Object

Instance Method Summary

• #data_flow_sinks ⇒ Array<Sink::DataFlow>

  JS data flow sink data.

• #debug_stub(*args) ⇒ String

  JS code which will call the `TaintTracer.debug`, browser-side JS function.

• #debugging_data ⇒ Object
• #dom_digest ⇒ String

  Digest of the current DOM tree (i.e. node names and their attributes without text-nodes).

• #dom_event_digest ⇒ String

  Digest of the available DOM events.

• #each_dom_element_with_events(whitelist = []) ⇒ Array<Hash>

  Information about all DOM elements, including any registered event listeners.

• #execution_flow_sinks ⇒ Array<Sink::ExecutionFlow>

  JS execution flow sink data.

• #flush_data_flow_sinks ⇒ Array<Sink::DataFlow>

  Returns and clears #data_flow_sinks.

• #flush_execution_flow_sinks ⇒ Array<Sink::ExecutionFlow>

  Returns and clears #execution_flow_sinks.

• #has_js_initializer?(response) ⇒ Bool

  `true` if the response HTTP::Message#body contains the code for the JS environment.

• #has_sinks? ⇒ Boolean
• #html?(response) ⇒ Boolean
• #initialize(browser) ⇒ Javascript constructor

  A new instance of Javascript.

• #inject(response) ⇒ Object
• #javascript?(response) ⇒ Boolean
• #log_data_flow_sink_stub(*args) ⇒ String

  JS code which will call the `TaintTracer.log_data_flow_sink`, browser-side, JS function.

• #log_execution_flow_sink_stub(*args) ⇒ String

  JS code which will call the `TaintTracer.log_execution_flow_sink`, browser-side, JS function.

• #ready? ⇒ Bool

  `true` if our custom JS environment has been initialized.

• #run(*args) ⇒ Object

  Result of `script`.

• #run_without_elements(*args) ⇒ Object

  Executes the given code but unwraps Watir elements.

• #serve(request, response) ⇒ Bool

  `true` if the request corresponded to a JS file and was served, `false` otherwise.

• #set_element_ids ⇒ Object

  Sets a custom ID attribute to elements with events but without a proper ID.

• #supported? ⇒ Bool

  `true` if there is support for our JS environment in the current page, `false` otherwise.

• #timeouts ⇒ Array<Array>

  Arguments for JS `setTimeout` calls.

• #wait_till_ready ⇒ Object

  Blocks until the browser page is ready.

Methods included from Utilities

#available_port, available_port_mutex, #bytes_to_kilobytes, #bytes_to_megabytes, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_file, #cookies_from_parser, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_parser, #forms_from_response, #full_and_absolute_url?, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_parser, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite

Methods included from UI::Output

#debug?, #debug_level_1?, #debug_level_2?, #debug_level_3?, #debug_level_4?, #debug_off, #debug_on, #disable_only_positives, #included, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_debug_level_4, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #unmute, #verbose?, #verbose_on

Constructor Details

#initialize(browser) ⇒ Javascript

Returns a new instance of Javascript.

Parameters:

• browser (Browser)

# File 'lib/arachni/browser/javascript.rb', line 105

def initialize( browser )
    @browser      = browser
    @taint_tracer = TaintTracer.new( self )
    @dom_monitor  = DOMMonitor.new( self )
end

Instance Attribute Details

#custom_code ⇒ String

Returns Inject custom JS code right after the initialization of the custom JS interfaces.

Returns:

• (String) —

  Inject custom JS code right after the initialization of the custom JS interfaces.

# File 'lib/arachni/browser/javascript.rb', line 90

def custom_code
  @custom_code
end

#dom_monitor ⇒ DOMMonitor (readonly)

Returns Proxy for the `DOMMonitor` JS interface.

Returns:

• (DOMMonitor) —

  Proxy for the `DOMMonitor` JS interface.

# File 'lib/arachni/browser/javascript.rb', line 94

def dom_monitor
  @dom_monitor
end

#taint ⇒ String

Returns Taints to look for and trace in the JS data flow.

Returns:

• (String) —

  Taints to look for and trace in the JS data flow.

# File 'lib/arachni/browser/javascript.rb', line 85

def taint
  @taint
end

#taint_tracer ⇒ TaintTracer (readonly)

Returns Proxy for the `TaintTracer` JS interface.

Returns:

• (TaintTracer) —

  Proxy for the `TaintTracer` JS interface.

# File 'lib/arachni/browser/javascript.rb', line 98

def taint_tracer
  @taint_tracer
end

#token ⇒ String

Returns Token used to namespace the injected JS code and avoid clashes.

Returns:

• (String) —

  Token used to namespace the injected JS code and avoid clashes.

# File 'lib/arachni/browser/javascript.rb', line 81

def token
  @token
end

Class Method Details

.events ⇒ Object

# File 'lib/arachni/browser/javascript.rb', line 100

def self.events
    EVENTS
end

Instance Method Details

#data_flow_sinks ⇒ Array<Sink::DataFlow>

Returns JS data flow sink data.

Returns:

• (Array<Sink::DataFlow>) —

  JS data flow sink data.

# File 'lib/arachni/browser/javascript.rb', line 230

def data_flow_sinks
    return [] if !supported?
    taint_tracer.data_flow_sinks[@taint] || []
end

#debug_stub(*args) ⇒ String

Returns JS code which will call the `TaintTracer.debug`, browser-side JS function.

Returns:

• (String) —

  JS code which will call the `TaintTracer.debug`, browser-side JS function.

# File 'lib/arachni/browser/javascript.rb', line 155

def debug_stub( *args )
    taint_tracer.stub.function( :debug, *args )
end

#debugging_data ⇒ Object

# File 'lib/arachni/browser/javascript.rb', line 218

def debugging_data
    return [] if !supported?
    taint_tracer.debugging_data
end

#dom_digest ⇒ String

Returns Digest of the current DOM tree (i.e. node names and their attributes without text-nodes).

Returns:

• (String) —

  Digest of the current DOM tree (i.e. node names and their attributes without text-nodes).

# File 'lib/arachni/browser/javascript.rb', line 256

def dom_digest
    return '' if !supported?
    dom_monitor.digest
end

#dom_event_digest ⇒ String

Returns Digest of the available DOM events.

Returns:

• (String) —

  Digest of the available DOM events.

# File 'lib/arachni/browser/javascript.rb', line 263

def dom_event_digest
    return '' if !supported?
    dom_monitor.event_digest
end

#each_dom_element_with_events(whitelist = []) ⇒ Array<Hash>

Note:

Will not include custom events.

Returns Information about all DOM elements, including any registered event listeners.

Returns:

• (Array<Hash>) —

  Information about all DOM elements, including any registered event listeners.

# File 'lib/arachni/browser/javascript.rb', line 272

def each_dom_element_with_events( whitelist = [] )
    return if !supported?

    start      = 0
    batch_size = EACH_DOM_ELEMENT_WITH_EVENTS_BATCH_SIZE

    loop do
        elements = dom_monitor.elements_with_events( start, batch_size, whitelist )
        return if elements.empty?

        elements.each do |element|
            next if NO_EVENTS_FOR_ELEMENTS.include? element['tag_name']

            events = {}
            element['events'].each do |event, handlers|
                events[event.to_sym] = handlers
            end
            element['events'] = events

            yield element
        end

        return if elements.size < batch_size

        start += elements.size
    end
end

#execution_flow_sinks ⇒ Array<Sink::ExecutionFlow>

Returns JS execution flow sink data.

Returns:

• (Array<Sink::ExecutionFlow>) —

  JS execution flow sink data.

# File 'lib/arachni/browser/javascript.rb', line 224

def execution_flow_sinks
    return [] if !supported?
    taint_tracer.execution_flow_sinks
end

#flush_data_flow_sinks ⇒ Array<Sink::DataFlow>

Returns and clears #data_flow_sinks.

Returns:

• (Array<Sink::DataFlow>) —

  Returns and clears #data_flow_sinks.

# File 'lib/arachni/browser/javascript.rb', line 242

def flush_data_flow_sinks
    return [] if !supported?
    taint_tracer.flush_data_flow_sinks[@taint] || []
end

#flush_execution_flow_sinks ⇒ Array<Sink::ExecutionFlow>

Returns and clears #execution_flow_sinks.

Returns:

• (Array<Sink::ExecutionFlow>) —

  Returns and clears #execution_flow_sinks.

# File 'lib/arachni/browser/javascript.rb', line 236

def flush_execution_flow_sinks
    return [] if !supported?
    taint_tracer.flush_execution_flow_sinks
end

#has_js_initializer?(response) ⇒ Bool

Returns `true` if the response HTTP::Message#body contains the code for the JS environment.

Parameters:

• response (HTTP::Response) —

  Response whose HTTP::Message#body to check.

Returns:

• (Bool) —

  `true` if the response HTTP::Message#body contains the code for the JS environment.

# File 'lib/arachni/browser/javascript.rb', line 129

def has_js_initializer?( response )
    response.body.include? js_initialization_signal
end

#has_sinks? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/browser/javascript.rb', line 212

def has_sinks?
    return false if !supported?
    taint_tracer.has_sinks( @taint )
end

#html?(response) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/browser/javascript.rb', line 403

def html?( response )
    # If the server says it's HTML dig deeper to ensure it.
    # We don't want wrong response headers messing up the JS env.
    response.html? && Parser.html?( response.body )
end

#inject(response) ⇒ Object

Note:

Will update the `Content-Length` header field.

Parameters:

• response (HTTP::Response) —

  Installs our custom JS interfaces in the given `response`.

See Also:

• SCRIPT_BASE_URL
• SCRIPT_LIBRARY

# File 'lib/arachni/browser/javascript.rb', line 336

def inject( response )
    # Don't intercept our own stuff!
    return if response.url.start_with?( SCRIPT_BASE_URL )

    # If it's a JS file, update our JS interfaces in case it has stuff that
    # can be tracked.
    #
    # This is necessary because new files can be required dynamically.
    if javascript?( response )

        response.body.insert 0, <<-EOCODE
            #{js_comment}
            #{taint_tracer.stub.function( :update_tracers )};
            #{dom_monitor.stub.function( :update_trackers )};
        EOCODE
        response.body << ";\n"

    # Already has the JS initializer, so it's an HTML response; just update
    # taints and custom code.
    elsif has_js_initializer?( response )

        update_taints( response.body, response )
        update_custom_code( response.body )

    elsif html?( response )

        # Perform an update before each script.
        response.body.gsub!(
            /<script.*?>/i,
            "\\0\n
            #{js_comment}
            #{@taint_tracer.stub.function( :update_tracers )};
            #{@dom_monitor.stub.function( :update_trackers )};\n\n"
        )

        # Perform an update after each script.
        response.body.gsub!(
            /<\/script>/i,
            "\\0\n<script type=\"text/javascript\">" <<
                "#{@taint_tracer.stub.function( :update_tracers )};" <<
                "#{@dom_monitor.stub.function( :update_trackers )};" <<
                "</script> #{html_comment}\n"
        )

        # Include and initialize our JS interfaces.
        response.body.insert 0, <<-EOHTML
<script src="#{script_url_for( :polyfills )}"></script> #{html_comment}
<script src="#{script_url_for( :taint_tracer )}"></script> #{html_comment}
<script src="#{script_url_for( :dom_monitor )}"></script> #{html_comment}
<script>
#{wrapped_dom_monitor_initializer}
#{wrapped_taint_tracer_initializer( response )}
#{js_initialization_signal};

#{wrapped_custom_code}
</script> #{html_comment}
        EOHTML

    end

    true
end

#javascript?(response) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/browser/javascript.rb', line 399

def javascript?( response )
    response.headers.content_type.to_s.downcase.include?( 'javascript' )
end

#log_data_flow_sink_stub(*args) ⇒ String

Returns JS code which will call the `TaintTracer.log_data_flow_sink`, browser-side, JS function.

Returns:

• (String) —

  JS code which will call the `TaintTracer.log_data_flow_sink`, browser-side, JS function.

# File 'lib/arachni/browser/javascript.rb', line 149

def log_data_flow_sink_stub( *args )
    taint_tracer.stub.function( :log_data_flow_sink, *args )
end

#log_execution_flow_sink_stub(*args) ⇒ String

Returns JS code which will call the `TaintTracer.log_execution_flow_sink`, browser-side, JS function.

Returns:

• (String) —

  JS code which will call the `TaintTracer.log_execution_flow_sink`, browser-side, JS function.

# File 'lib/arachni/browser/javascript.rb', line 142

def log_execution_flow_sink_stub( *args )
    taint_tracer.stub.function( :log_execution_flow_sink, *args )
end

#ready? ⇒ Bool

Returns `true` if our custom JS environment has been initialized.

Returns:

• (Bool) —

  `true` if our custom JS environment has been initialized.

# File 'lib/arachni/browser/javascript.rb', line 185

def ready?
    run( "return (typeof window._#{token} !== 'undefined' && document.readyState === 'complete')" )
rescue => e
    print_debug_exception e, 2
    false
end

#run(*args) ⇒ Object

Returns Result of `script`.

Parameters:

• script (String) —

  JS code to execute.

Returns:

• (Object) —

  Result of `script`.

# File 'lib/arachni/browser/javascript.rb', line 197

def run( *args )
    @browser.selenium.execute_script *args
end

#run_without_elements(*args) ⇒ Object

Executes the given code but unwraps Watir elements.

Parameters:

• script (String) —

  JS code to execute.

Returns:

• (Object) —

  Result of `script`.

# File 'lib/arachni/browser/javascript.rb', line 208

def run_without_elements( *args )
    unwrap_elements run( *args )
end

#serve(request, response) ⇒ Bool

Returns `true` if the request corresponded to a JS file and was served, `false` otherwise.

Parameters:

• request (HTTP::Request) —

  Request to process.

• response (HTTP::Response) —

  Response to populate.

Returns:

• (Bool) —

  `true` if the request corresponded to a JS file and was served, `false` otherwise.

See Also:

• SCRIPT_BASE_URL
• SCRIPT_LIBRARY

# File 'lib/arachni/browser/javascript.rb', line 318

def serve( request, response )
    return false if !request.url.start_with?( SCRIPT_BASE_URL ) ||
        !(script = read_script( request.parsed_url.path ))

    response.code = 200
    response.body = script
    response.headers['content-type']   = 'text/javascript'
    response.headers['content-length'] = script.bytesize
    true
end

#set_element_ids ⇒ Object

Sets a custom ID attribute to elements with events but without a proper ID.

# File 'lib/arachni/browser/javascript.rb', line 248

def set_element_ids
    return '' if !supported?
    dom_monitor.setElementIds
end

#supported? ⇒ Bool

Returns `true` if there is support for our JS environment in the current page, `false` otherwise.

Returns:

• (Bool) —

  `true` if there is support for our JS environment in the current page, `false` otherwise.

See Also:

• #has_js_initializer?

# File 'lib/arachni/browser/javascript.rb', line 116

def supported?
    # We won't have a response if the browser was steered towards an
    # out-of-scope resource.
    response = @browser.response
    response && has_js_initializer?( response )
end

#timeouts ⇒ Array<Array>

Returns Arguments for JS `setTimeout` calls.

Returns:

• (Array<Array>) —

  Arguments for JS `setTimeout` calls.

# File 'lib/arachni/browser/javascript.rb', line 302

def timeouts
    return [] if !supported?
    dom_monitor.timeouts
end

#wait_till_ready ⇒ Object

Blocks until the browser page is ready.

# File 'lib/arachni/browser/javascript.rb', line 160

def wait_till_ready
    print_debug_level_2 'Waiting for custom JS...'

    if !supported?
        print_debug_level_2 '...unsupported.'
        return
    end

    t = Time.now

    while !ready?
        sleep 0.1

        if Time.now - t > Options.browser_cluster.job_timeout
            print_debug_level_2 '...timed out.'
            return
        end
    end

    print_debug_level_2 '...done.'
    true
end